CVE-2024-10394
📋 TL;DR
A local user on a Unix host running the OpenAFS client can bypass the PAG (Process Authentication Group) throttling mechanism, create a PAG whose ID number is already in use, and so join that PAG and steal the AFS credentials (tokens) stored in it. All Unix OpenAFS clients running vulnerable versions are affected; the attacker needs nothing more than a local account on the same host as the victim's session.
💻 Affected Systems
- OpenAFS Unix clients (the PAG is a client-side, cache-manager mechanism)
📦 What is this software?
OpenAFS (openafs.org) is the open-source implementation of the AFS distributed file system. On Unix clients, a user's AFS tokens are held in a kernel-side Process Authentication Group (PAG) rather than tied to the UID, so that, for example, su sessions and setuid helpers do not inherit another user's credentials. The flaw here breaks that separation.
⚠️ Risk & Real-World Impact
Worst Case
A local attacker joins the PAG of another user on the same host, typically an administrator holding admin tokens, and uses those stolen tokens to read, modify or delete any AFS data that user can reach anywhere in the cell, impersonating them to the file servers.
Likely Case
A local user steals another local user's AFS tokens and gains access to the AFS files and directories that the victim's ACL entries permit.
If Mitigated
If shell access to client hosts is limited to trusted users and privileged token-bearing sessions are kept off shared machines, there are few PAGs worth joining, and the attacker stays confined to their own AFS permissions.
🎯 Exploit Status
Exploitation requires local shell access on the client host and the ID number of a PAG currently in use there. The flaw is in the PAG throttling mechanism, which is meant to make PAG ID reuse impractical; bypassing it lets the attacker create a PAG whose ID collides with an existing one and thereby join it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.openafs.org/pages/security/OPENAFS-SA-2024-001.txt
Restart Required: Yes (the fix is in the client kernel module, so the module must be reloaded; in practice this usually means a reboot)
Instructions:
1. Review OpenAFS security advisory OPENAFS-SA-2024-001.
2. Update the OpenAFS client (userland packages and the matching kernel module) to the patched version from your distribution or from openafs.org.
3. Restart the OpenAFS client service or reboot affected systems so the new kernel module is in use.
4. Verify PAG functionality after the update (for example, obtain tokens inside a pagsh session and confirm they are not visible from a second login of the same user).
🔧 Temporary Workarounds
Restrict local user access
Limit shell access to systems running OpenAFS clients to trusted users only, and avoid leaving administrator tokens on multi-user hosts
Monitor PAG creation
Implement monitoring for unusual PAG creation patterns
# On Linux the PAG of a process appears as a supplementary GID on the Groups: line of /proc/<pid>/status;
# a PAG ID shared by processes belonging to different real UIDs is the symptom of a joined PAG
# Use auditd or similar to track setpag calls, i.e. access to the AFS ioctl entry point (on Linux, /proc/fs/openafs/afs_ioctl)
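The check described in this workaround, written out as an added example (this is not code from the advisory or from the OpenAFS project). It assumes the Linux one-group PAG encoding, in which the OpenAFS client marks a process's PAG with a single supplementary GID whose top byte is 'A' (0x41), so that PAG IDs lie in 0x41000000..0x41FFFFFF; hosts using the older two-group encoding would need a different decoder. The script parses /proc/<pid>/status, groups processes by PAG, and reports any PAG that spans more than one real UID. The sample snapshot is constructed.

```python
#!/usr/bin/env python3
"""Report OpenAFS PAGs shared by processes that run under different real UIDs.

Assumption (not taken from the advisory): on Linux the OpenAFS client exposes a
process's PAG as one supplementary GID with 'A' (0x41) in the top byte, so it
shows up on the Groups: line of /proc/<pid>/status.  One PAG ID appearing under
two different real UIDs is the condition a successful PAG-join attack creates.
"""
import os
import sys
from collections import defaultdict

PAG_MIN = 0x41000000  # 'A' << 24
PAG_MAX = 0x41FFFFFF


def is_pag_gid(gid):
    """True if gid looks like a one-group OpenAFS PAG identifier."""
    return PAG_MIN <= gid <= PAG_MAX


def parse_status(text):
    """Return (real_uid, set of PAG ids) from the contents of /proc/<pid>/status."""
    uid = None
    pags = set()
    for line in text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])  # first field is the real UID
        elif line.startswith("Groups:"):
            for g in line.split()[1:]:
                gid = int(g)
                if is_pag_gid(gid):
                    pags.add(gid)
    return uid, pags


def pag_owners(status_by_pid):
    """Map pag_id -> {real_uid: [pids]} over a {pid: status_text} snapshot."""
    owners = defaultdict(lambda: defaultdict(list))
    for pid in sorted(status_by_pid):
        uid, pags = parse_status(status_by_pid[pid])
        if uid is None:
            continue  # truncated or unreadable entry without a Uid line
        for pag in pags:
            owners[pag][uid].append(pid)
    return owners


def shared_pags(status_by_pid):
    """PAGs whose member processes span more than one real UID (the alert condition)."""
    return {pag: dict(by_uid)
            for pag, by_uid in pag_owners(status_by_pid).items()
            if len(by_uid) > 1}


def snapshot_proc():
    """Read /proc/<pid>/status for every live process; unreadable ones are skipped."""
    snap = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/status") as f:
                    snap[int(name)] = f.read()
            except OSError:
                pass  # process exited, or /proc is mounted with hidepid=
    return snap


# Constructed sample snapshot: uid 1000 and uid 1001 both have a process in
# PAG 0x41000001 (1090519041); PAG 0x41000025 (1090519077) belongs to uid 1001 only.
SAMPLE = {
    1: "Name:\tsystemd\nUid:\t0\t0\t0\t0\nGroups:\t \n",
    1201: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 1090519041 \n",
    1202: "Name:\tvim\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n",
    2301: "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGroups:\t1001 1090519041 \n",
    2302: "Name:\tssh\nUid:\t1001\t1001\t1001\t1001\nGroups:\t1001 1090519077 \n",
}

if __name__ == "__main__":
    # Run against the constructed sample by default; pass --live to scan this host.
    snap = snapshot_proc() if "--live" in sys.argv[1:] else SAMPLE
    hits = shared_pags(snap)
    for pag, by_uid in hits.items():
        print(f"PAG 0x{pag:08x} shared by uids {sorted(by_uid)}: {dict(by_uid)}")
    sys.exit(1 if hits else 0)
```

Run it periodically (or from a cron job with `--live`) as root so every process's status file is readable; a non-zero exit means at least one PAG is shared across UIDs and should be investigated. Legitimate cross-UID sharing is rare, since a PAG is normally inherited only by children of the process that created it.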
🧯 If You Can't Patch
- Restrict local logins on OpenAFS client hosts to trusted users, and do not hold administrator tokens on hosts shared with untrusted users
- Monitor for PAG IDs shared across different UIDs and for bursts of PAG creation, and review file-server audit logs for token use from unexpected hosts
🔍 How to Verify
Check if Vulnerable:
Check the installed OpenAFS client version against the fixed releases listed in the vendor advisory. Any Unix client running an older version is vulnerable; servers are not affected by this issue.
Check Version:
Query the package manager (rpm -q openafs, dpkg -l openafs-client), or ask the running cache manager directly with rxdebug -server localhost -port 7001 -version, which reports the version of the client actually loaded
Verify Fix Applied:
Confirm that both the userland packages and the loaded kernel module report the patched version (rxdebug against port 7001 reflects the module in use, not just the installed files), then test PAG functionality: obtain tokens in a pagsh session and confirm they are not visible from another session.
📡 Detection & Monitoring
Log Indicators:
- Multiple PAG creations from the same user in a short timeframe (repeated setpag calls)
- A PAG ID appearing in processes owned by more than one real UID, or a PAG ID reappearing shortly after it was last seen
- Failed authentication attempts following PAG changes
Network Indicators:
- File-server access to a user's data from a client host or session where that user is not otherwise active
- Token use from an unexpected host for an administrative identity
SIEM Query:
Template (Splunk-style); OpenAFS does not emit PAG events by itself, so "source", "event", "user" and "src_ip" are placeholder fields from whatever audit collector you deploy, and "threshold" must be tuned to the normal login rate on the host:
source="openafs" AND (event="PAG_creation" OR event="setpag") | stats count by user, src_ip | where count > threshold